04 May, 2012

suPHP vs CVE-2012-1823

I needed to investigate CVE-2012-1823 for a few sites that I help look after.

They all use suPHP (some of them via cPanel, some directly configured).

I couldn't find anything in Google about whether CVE-2012-1823 affects suPHP - they all talk about php-cgi, and suPHP does something very similar, but with a bit more functionality.

As far as I can tell, the exploit comes specifically from CGI handling, and relates to how a URL turns into an invocation of PHP.

From looking at the suPHP source code, it looks like that exploit path is not available. The arguments to pass to PHP seem to be formed totally differently in suPHP compared to a CGI execution.

I'd love to hear anyone else's opinion though...
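For checking web server logs on the sites in question, the sketch below applies the CGI rule behind this CVE: a query string with no unencoded "=" is treated as an "indexed" query (RFC 3875 section 4.4), split on "+", decoded, and handed to the program as command-line words. This is an added example, not code from this post or from suPHP; the function names, the combined-log-style layout, and the sample lines are constructed assumptions, and a hit only shows that a request of this shape arrived, not that the handler acted on it.

```python
import re
from urllib.parse import unquote

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"([A-Z]+) (\S+) HTTP/[\d.]+"')

def cgi_search_words(query):
    """Words a CGI gateway would derive from an 'indexed' query string.

    Returns [] when the query is empty or contains an unencoded '=',
    because such a query is not turned into command-line words."""
    if not query or "=" in query:
        return []
    return [unquote(word) for word in query.split("+")]

def option_like_args(target):
    """Decoded words in the request target that begin with '-'."""
    _path, _sep, query = target.partition("?")
    return [w for w in cgi_search_words(query) if w.startswith("-")]

def scan(lines):
    """Return (line_number, target, args) for each request worth reviewing."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        args = option_like_args(match.group(2))
        if args:
            hits.append((number, match.group(2), args))
    return hits

# Constructed sample log lines (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '192.0.2.10 - - [04/May/2012:10:00:01 +0000] "GET /index.php?page=2 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [04/May/2012:10:00:02 +0000] "GET /file.php?-s HTTP/1.1" 200 812',
    '192.0.2.12 - - [04/May/2012:10:00:03 +0000] "GET /search.php?suphp+cgi HTTP/1.1" 200 900',
    '192.0.2.13 - - [04/May/2012:10:00:04 +0000] "GET /file.php?%2Ds HTTP/1.1" 200 812',
    '192.0.2.14 - - [04/May/2012:10:00:05 +0000] "GET /static/logo.png HTTP/1.1" 200 3100',
]

if __name__ == "__main__":
    for number, target, args in scan(SAMPLE_LOG):
        print(f"line {number}: {target} -> option-like words {args}")
```
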

1 comment:

  1. Anonymous 4/5/12 15:13

    The "file.php?-s" test on my suPHP environments doesn't seem to work; this is leading me to believe that suPHP is not affected by this.

    But I've not found any other claims that duplicate or support this. This blog post was the best that I could find, and it seems to support my findings. But would love to hear from other suPHP users.